The Role of a SOC in a Serverless World

The server as we know it is a dying breed. With the launch of Amazon Web Services (AWS) Lambda in November 2014, and the raft of similar Function-as-a-Service (FaaS) platforms which followed it, more and more companies are choosing to migrate into the serverless world. After all, the advantages in scalability, simplicity, and cost-effectiveness are enough to make the head spin and the heart sing – but what does the move mean for security?

While a Security Operations Centre (SOC) traditionally monitors every layer of the infrastructure, from the host operating system upwards, detecting threats and mitigating them as needed, a good part of that umbrella now belongs to the cloud provider in a serverless environment: you cannot patch, harden or inspect a host you never see. Does that mean SOCs are now redundant? Not by a long shot. Here’s how serverless technology is changing and challenging security – and how you can stay one step ahead of the curve.

What is a serverless architecture?

The term “serverless” is actually something of a misnomer, since a server will always be required to provide the base upon which code can be run. With FaaS platforms and similar services, however, there is no single server dedicated to hosting and running a specific app, website or piece of code. Instead, the platform elastically allocates execution environments to meet the needs of individual functions as and when they are invoked, keeps them warm for a while so that follow-up invocations start quickly, and reclaims them once they fall idle.

This results in incredible cost savings, since users pay only for the time their functions actually run. It also offers superb scalability, since the platform is equally well-equipped to deal with one request per month or thousands every second. Moreover, platforms like Azure Functions and AWS Lambda support several runtimes (including C#, Go, Java, Node.js and Python), giving developers greater freedom and ultimately more time to work on the apps and programmes that serve the business.

How does serverless serve security?

In some respects, choosing a serverless architecture can take a hefty workload off the SOC. For starters, there’s no need for the security team to keep up to date on the seemingly never-ending stream of operating-system and runtime patches which servers require to maintain their defences against the ever-evolving tactics, techniques and procedures (TTPs) used by hackers to try and gain access to your vital information. Those patches are taken care of by the platform itself. The line of responsibility is worth being precise about, though: the provider patches the host and the language runtime, but the function code, the third-party libraries bundled into it, the IAM permissions it runs with and its configuration remain yours, and when the provider retires an old runtime version, moving off it is your job too.

Meanwhile, contrary to what you have seen in films and on TV, threat actors rarely walk straight through an open back door and bring a system to its knees in an instant. Most high-profile breaches, the Panama Papers leak among them, unfold over months as intruders quietly establish a foothold, move laterally and probe for more information without raising suspicion. (WannaCry, often mentioned in the same breath, is actually the exception that proves the rule: a self-propagating worm that spread in hours, which is precisely why unpatched hosts were so exposed to it.) Since a serverless platform tears down execution environments once they fall idle, and there is no long-lived host on which to plant a backdoor, that kind of foothold is far harder to keep, and the window of opportunity for a threat actor is smaller. Two caveats apply. Environments are reused across invocations while they are warm, so a compromise can outlive the single request that caused it. And persistence does not vanish; it moves to the things that do persist: the function’s code and the pipeline that deploys it, the credentials of its IAM role, and its configuration.

Finally, the threat of Denial of Service (DoS) attacks is reduced, though not removed, by the scalability of serverless architecture. Hackers have long tried to exhaust a server’s processor or memory with a tsunami of expensive requests, thereby depriving genuine users of access to the site; against a platform that scales out automatically, that approach is far less effective. But capacity is not infinite: every account has a concurrency limit, and a flood that reaches it still throttles genuine users. Worse, because you pay per invocation, the same flood becomes a “denial of wallet” attack that drives up the bill instead of taking the site down. Per-function concurrency caps, API throttling and alarms on throttling and spend are the serverless equivalent of rate limiting, and they belong on the SOC’s watch list.
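As an added example (this is not the article’s own configuration, nor Quorum Cyber’s), here is an AWS SAM template fragment that puts those controls in place for one HTTP-triggered function. The function name, API path, alert topic and every limit value are assumptions; size them from your own traffic.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
# Added example: bounding a single HTTP-triggered function.
# Names, paths and numbers are assumptions, not values from the article.

Resources:
  PublicApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      MethodSettings:
        - ResourcePath: "/*"          # apply to every route on the stage
          HttpMethod: "*"
          ThrottlingRateLimit: 100    # steady-state requests per second
          ThrottlingBurstLimit: 200   # short bursts above that are tolerated

  OrderHandler:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: ./src
      Timeout: 5                         # one slow request cannot bill for the 15-minute maximum
      MemorySize: 256
      ReservedConcurrentExecutions: 50   # hard ceiling: this function alone can never drain
                                         # the account-wide concurrency pool
      Events:
        CreateOrder:
          Type: Api
          Properties:
            RestApiId: !Ref PublicApi
            Path: /orders
            Method: post

  # Page the SOC when the ceiling is being hit: sustained throttling is either
  # a traffic spike worth knowing about or a flood worth investigating.
  ThrottleAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: order-handler-throttled
      Namespace: AWS/Lambda
      MetricName: Throttles
      Dimensions:
        - Name: FunctionName
          Value: !Ref OrderHandler
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 5
      Threshold: 100
      ComparisonOperator: GreaterThanThreshold
      AlarmActions:
        - !Ref SocAlertTopic

  SocAlertTopic:
    Type: AWS::SNS::Topic
```

Note that a reserved concurrency value is subtracted from the account-wide pool shared by every other function in the region, so it is both a ceiling for this function and a guarantee that a flood against it cannot starve the rest. A billing alarm or budget on the account closes the remaining gap, since throttled invocations cost nothing but successful ones still do.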

How does serverless destabilise security?

With those benefits in mind, you might be tempted to think that there is no place for an SOC in a serverless world… but nothing could be further from the truth. In reality, the dangers posed by cyber criminals and the responsibilities of the security team have simply shifted. Perhaps the primary challenge posed by a migration to a serverless system is the difficulty of keeping track of every aspect of the transitory, multifaceted beast that such apps and programmes have now become.

This is because serverless apps are seldom served by FaaS systems alone. Instead, they rely on a sprawling web of third-party services, managed event sources and bundled libraries, each of which adds to the surface area that is vulnerable to attack. Since hackers can no longer gain access via the traditional route of compromising the host, they will be likely to focus their attention elsewhere. This new “weakest link” could sit in the events that trigger the functions (an HTTP request, a queue message or an uploaded file is untrusted input just as a form field is), in an over-privileged IAM role that lets one compromised function reach data it never needed, in a vulnerable dependency packaged with the deployment, in the data which powers the app, or in the code itself.

Keeping on top of all of these facets, even as they are constantly mutating and shifting within the platform, can be an exhausting and seemingly insurmountable challenge. With no host to instrument, the SOC’s raw material becomes the platform’s own telemetry: the audit trail of who changed which function, role or permission, the functions’ logs, and the invocation and throttling metrics. That’s especially true for companies that have only recently made the leap from server to serverless architecture and that might not have the knowledge, experience or resources to devote to enabling their SOC to do its job properly – but failure to prepare for a threat is akin to welcoming it through the back door with a glass of champagne and a blank cheque in hand.
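To make that concrete, here is an added example (not code from the article or from Quorum Cyber): a small set of detection rules run over CloudTrail records for Lambda, the control-plane telemetry a SOC should be ingesting once there is no host left to watch. The account ID, role ARNs and function name are assumptions, and the log records are constructed for the example. It flags a function changed by anything other than the deployment pipeline, an invoke permission granted to the world or to another account, and the removal of a concurrency cap.

```python
"""Detection rules over Lambda control-plane events from CloudTrail.

Added example, not code from the original article or from Quorum Cyber.
The account ID, role ARNs and function name are placeholder assumptions,
and the records below are constructed, trimmed to the fields the rules
read. CloudTrail logs Lambda API calls under versioned event names (for
example UpdateFunctionCode20150331v2), so the rules match on the
event-name prefix rather than the exact string.
"""
import json
import re

ACCOUNT_ID = "111111111111"  # assumed: our own AWS account
# Assumed: the only identity that should ever change a function is the CI/CD role.
DEPLOY_ROLE = f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/ci-deploy/github-actions"

# Event-name prefixes that change what a function is or what triggers it.
CHANGE_PREFIXES = ("CreateFunction", "UpdateFunctionCode",
                   "UpdateFunctionConfiguration", "CreateEventSourceMapping",
                   "UpdateEventSourceMapping")


def _principal_is_foreign(principal):
    """'*' or a 12-digit account ID other than ours counts as foreign.
    AWS service principals such as apigateway.amazonaws.com do not."""
    if principal == "*":
        return True
    return bool(re.fullmatch(r"\d{12}", principal or "")) and principal != ACCOUNT_ID


def check_record(rec):
    """Return the list of findings for one CloudTrail record (empty if clean)."""
    if rec.get("eventSource") != "lambda.amazonaws.com":
        return []
    name = rec.get("eventName", "")
    actor = rec.get("userIdentity", {}).get("arn", "unknown")
    params = rec.get("requestParameters") or {}
    base = {"function": params.get("functionName", "unknown"),
            "actor": actor, "time": rec.get("eventTime")}
    findings = []
    # Rule 1: the function was changed by something other than the pipeline.
    if name.startswith(CHANGE_PREFIXES) and actor != DEPLOY_ROLE:
        findings.append({**base, "rule": "change-outside-pipeline", "event": name})
    # Rule 2: the resource-based policy now lets an outsider invoke the function.
    if name.startswith("AddPermission") and _principal_is_foreign(params.get("principal")):
        findings.append({**base, "rule": "invoke-granted-to-foreign-principal",
                         "principal": params.get("principal")})
    # Rule 3: the concurrency cap that bounds runaway cost was removed.
    if name.startswith("DeleteFunctionConcurrency"):
        findings.append({**base, "rule": "concurrency-limit-removed"})
    return findings


def analyze(lines):
    """Run every rule over newline-delimited JSON CloudTrail records."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(check_record(json.loads(line)))
    return findings


# Constructed sample records, one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",           # routine deploy: clean
     "userIdentity": {"arn": DEPLOY_ROLE},
     "requestParameters": {"functionName": "order-handler"}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",           # console upload by a user: rule 1
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
     "requestParameters": {"functionName": "order-handler"}},
    {"eventTime": "2024-03-01T10:06:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "AddPermission20150331v2",                # anyone may invoke: rule 2
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
     "requestParameters": {"functionName": "order-handler", "principal": "*",
                           "action": "lambda:InvokeFunction"}},
    {"eventTime": "2024-03-01T10:07:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "AddPermission20150331v2",                # API Gateway trigger: clean
     "userIdentity": {"arn": DEPLOY_ROLE},
     "requestParameters": {"functionName": "order-handler",
                           "principal": "apigateway.amazonaws.com",
                           "action": "lambda:InvokeFunction"}},
    {"eventTime": "2024-03-01T10:08:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "DeleteFunctionConcurrency20171031",       # cap removed: rule 3
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
     "requestParameters": {"functionName": "order-handler"}},
    {"eventTime": "2024-03-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",                              # other service: ignored
     "userIdentity": {"arn": DEPLOY_ROLE}},
])

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding["time"], finding["rule"], finding["function"], finding["actor"])
```

Run against the sample it reports three findings, all attributable to the same user within a few minutes, which is the pattern an analyst would want to see in one place rather than as three disconnected alerts. In production the same rules would read from a CloudTrail delivery bucket or a SIEM feed, and the deploy-role allow-list would come from configuration rather than a constant.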

Quorum Cyber can help

If all of this feels a little overwhelming, don’t panic. As cloud-native security professionals, Quorum Cyber are better-placed than anyone to know how to handle the new-fangled threats posed by serverless apps and programmes.

From vetting your source code to our own Cloud Security Operations Centre Managed Service, ‘Net’, who better to help you in this Brave New (Cloud-Based) World than a team that was born in the cloud itself? To learn more about how we can keep you protected in any environment, get in touch with us today.